BrightCloud to PAN-DB Migration with Panorama in Multi-Vsys Configuration

BrightCloud to PAN-DB Migration with Panorama in Multi-Vsys Configuration

15694
Created On 09/26/18 13:48 PM - Last Modified 11/13/20 19:54 PM


Environment


  • Any PAN-OS.
  • Any Panorama.
  • BrightCloud URL database.

Resolution


Overview

This document describes how to migrate from BrightCloud to PAN-DB database if the managed device has Panorama pushed URL Profiles with BrightCloud categories and is configured in multi-vsys mode.

Note: For a single vsys environment, see BrightCloud to PAN-DB Migration Process with Panorama.

 

Steps

  1. Verify whether Dynamic URL filtering is enabled on the device. 
    > set cli config-output-format set
> configure
# show deviceconfig setting url

    If it is configured, then delete the setting by running the following commands: 
    # delete deviceconfig setting url dynamic-url
# commit
  2. License the Palo Alto Networks device with PAN-DB license and activate the license on the device.
    1. Navigate to Device > Licenses
    2. Click Retrieve license keys from license server or Activate feature using auth code
  3. Download the URL DB initial seed file optimized for a specific region.
    1.   Navigate to Device > Licenses
    2.   Click Download under the Palo Alto Networks URL filtering
      pastedImage_0.png
  4. [On the firewall]: Activate PAN-DB (Device > Licenses). This should fail. That is the commit will fail and the local policy will be migrated to PAN-DB, while Panorama pushed policy remains BrightCloud.
    Activate PAN-DB
  5. [On Panorama]: Switch database on Panorama from BrightCloud to PAN-DB with the following command: 
    > set system setting url-database paloaltonetworks
    [On the firewall]: Remove the Panorama-pushed shared configuration on the firewall.
    Navigate to Device > Setup > Panorama Settings and click “Disable Panorama Policy and Objects”, click OK to confirm.
    Note:  In the dialogue that appears, do not check the box for “Import Panorama Policy and Objects before disabling”.
  6. Screen+Shot+2014-04-02+at+3.58.16+PM.png
    Screen+Shot+2014-04-02+at+4.02.32+PM.png
  7. [On the firewall]: Enable Panorama to again push the shared configuration to the firewall.
    Navigate to Device > Setup > Panorama Settings and click “Enable Panorama Policy and Objects”, click OK to confirm.
    Screen+Shot+2014-04-02+at+4.04.19+PM.png
  8. [On Panorama]: Push the Panorama config one vsys at a time from Panorama
  9. [On the firewall]: Re-activate PAN-DB.
> set system setting url-database paloaltonetworks

In a High Availability (HA) environment, once the device is activated it will come up as "Non-functional" due to DB mismatch with the peer. Follow the additional steps below for the HA environment:

  1. Suspend the Active/Primary device, this will make the secondary device functional.
  2. Follow steps 3 through 9 above.

Note: Both devices are now using PAN-DB, once both devices are functional, failover back to the original Primary/Active device.

 

 

Additional Information


Note: BrightCloud URL is no longer sold by Palo Alto. The support will continue till July 31, 2021. Refer to the End of Sale announcements.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpdCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language